

Risk Level 1: Very Low

September 27, 2001
April 19, 2010 4:26:18 PM
Systems Affected:
Hacktool.Rootkit is a detection name used by Symantec to identify malicious software programs that allow attackers to break into a system and hide the attack from its users.

Background information
Rootkits first appeared on UNIX operating systems in the 1990s. The term originally described programs used primarily to gain root access on a system and hide the traces of the attack. Administrator/superuser accounts on UNIX systems are called root, and the original software used in these attacks came as multi-part tool sets, hence the name "rootkit". The term is now often used to refer to any software that hides its own presence or the presence of other files and system changes on a computer.

There are two main types of rootkits:

User-mode rootkits:
Applications run by a user access the kernel by making system calls. These system calls follow a predefined path, which allows a user-mode rootkit to intercept and manipulate the call at different points along that path. A user-mode rootkit may also use DLL injection, in which the malware code is injected into system DLLs. This lets the rootkit remain memory resident, since the infected DLL runs in the memory allocated to the application that loaded it.

Kernel-mode rootkits:
The kernel-mode rootkit is a more sophisticated type of malicious software, since it takes control of the operating system at a low level by hooking system calls through one of the following methods:
  • Native APIs exported by NTDLL.dll
  • Direct Kernel Object Manipulation (DKOM)
  • The system call table, i.e. the System Service Descriptor Table (SSDT)
  • Export Address Table (EAT)
  • Interrupt Descriptor Table (IDT)
  • Import Address Table (IAT)
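The two table-hooking methods above (IAT redirection and inline patching of native API prologues in NTDLL.dll) are what anti-rootkit scanners look for. The following is an added example of those two checks, not code from Symantec or this writeup; the module map, import table, addresses and prologue bytes are constructed sample data standing in for what a real scanner would read from a live process.

```python
"""Hook-scan heuristics over a constructed process snapshot.

Check 1 (IAT): each import's resolved address must lie inside the image
range of the DLL that exports it; otherwise the IAT slot was redirected.
Check 2 (inline): a function whose first instruction is a near JMP (E9 rel32)
or an absolute JMP [mem] (FF 25) has had a trampoline written over its prologue.
"""

# Constructed module map: dll name -> (base address, size)
MODULES = {
    "ntdll.dll":    (0x7C900000, 0x000B0000),
    "kernel32.dll": (0x7C800000, 0x000F6000),
    "evil.dll":     (0x10000000, 0x00010000),   # injected module (constructed)
}

# Constructed import table of the scanned process: (dll, function, resolved address)
IMPORTS = [
    ("ntdll.dll",    "NtQuerySystemInformation", 0x7C90D92E),
    ("ntdll.dll",    "NtQueryDirectoryFile",     0x10001230),  # resolves into evil.dll
    ("kernel32.dll", "FindNextFileW",            0x7C834EB1),
]

# Constructed prologue bytes: function -> first bytes found at its entry point
PROLOGUES = {
    "NtQuerySystemInformation": bytes.fromhex("b8ad000000ba0003fe7f"),  # mov eax,0xad; mov edx,... (clean stub)
    "NtOpenProcess":            bytes.fromhex("e9fb12f093"),            # jmp rel32 (trampoline)
    "FindNextFileW":            bytes.fromhex("ff2530100010"),          # jmp [0x10001030] (trampoline)
}

def owner_of(addr):
    """Return the name of the module whose mapped range contains addr, or None."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None

def iat_hooks(imports=IMPORTS):
    """Import entries whose resolved address is outside the exporting DLL: (function, actual owner)."""
    return [(fn, owner_of(addr)) for dll, fn, addr in imports if owner_of(addr) != dll]

def inline_hooks(prologues=PROLOGUES):
    """Functions whose entry point starts with a JMP, the signature of an inline patch."""
    return [fn for fn, code in prologues.items()
            if code[:1] == b"\xe9" or code[:2] == b"\xff\x25"]

if __name__ == "__main__":
    print("IAT redirections:", iat_hooks())
    print("Inline patches:", inline_hooks())
```

A live scan would fill the three tables by walking the process's loaded-module list and parsing each image's import directory; the checks themselves stay the same.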

Who creates rootkits?
Rootkits are created by malware writers who employ a variety of techniques to gain access to a compromised computer and hide their presence from its users and from security-related applications. Rootkits are likely to be created as an aid to profit-making malware operations: by incorporating a rootkit into a malware attack, the malware authors can hope to keep the malware undetected for longer.

What happens after Hacktool.Rootkit is installed?
Once installed, the rootkit will attempt to hide any evidence of the intrusion. Attackers can use it to gain administrator or superuser access, or to operate through a remotely accessible back door on the compromised computer, and so perform virtually any activity without the end user knowing of the intrusion.

What can Hacktool.Rootkit do?
Once installed, a rootkit can gain control of your computer and can be configured to perform many actions on it, including any of the following:
  • Avoid detection
  • Hide files and folders
  • Hide malicious code
  • Hide network connections
  • Hide system processes
  • Log keystrokes
  • Modify the system
  • Open a back door
  • Steal confidential information

Are there any tell-tale signs?
Since rootkits go to extensive means to avoid detection, there are typically no tell-tale signs that can be readily seen by the user when using the compromised computer.

What are the risks?
Rootkits pose a relatively high risk of damage or loss to the user if they remain undetected and active for a significant time. The minimum risk a user may face includes the hiding of files or folders and potential performance loss due to activities performed by the malware or the remote attacker. The maximum risk a user may experience can include identity theft when confidential information is stolen, use of the computer by a remote attacker to perform illegal activities, and the download and installation of other malware.

What can I do to minimize the risks?
As a general rule, users should always run up-to-date antivirus software with real-time protection such as Norton Antivirus, Norton Internet Security, Norton 360, or Symantec Endpoint Protection. In addition, a firewall - or better still, an Intrusion Prevention System (IPS) - will help to block back channel activities initiated by these types of malicious programs. Program controls such as those found in Symantec Endpoint Protection can also help to prevent unknown programs such as these from executing in the first place.

How can I find out more?
Advanced users can submit a sample to Threat Expert to obtain a detailed report of the system and file system changes caused by a threat.
Writeup By: Angela Thigpen